The short answer
Attackers exploited a critical unauthenticated remote-code-execution flaw in Oracle PeopleSoft (CVE-2026-35273) as a zero-day between 27 May and 9 June 2026, and the ShinyHunters extortion group claims it stole data from more than 300 PeopleSoft instances across 100 organizations, including Nissan. Oracle shipped an emergency out-of-band patch on 10 June, but the two-week head start means exposed instances must be treated as potentially already breached — patching alone did not close the incident.
The practical reading for engineering leaders: this is a story about internet-facing enterprise software holding sensitive data, not about one bad Oracle bug. The systems that hurt most when breached — HR, finance, ERP — are exactly the legacy platforms teams leave exposed and under-monitored. The durable fixes are reducing exposure, hunting for compromise, and treating major vendors as critical third parties with a real incident plan.
What actually happened?
Oracle PeopleSoft is a decades-old enterprise suite that many large organizations still run for human-capital management (HCM), finance and campus administration. In late May 2026, attackers began exploiting CVE-2026-35273, a critical unauthenticated remote-code-execution vulnerability, against internet-reachable PeopleSoft servers. Because the flaw needs no login, any exposed instance was a candidate. Google's Mandiant later confirmed the exploitation ran as a zero-day from 27 May to 9 June 2026, and Oracle responded with an emergency out-of-band security alert and patch on 10 June — outside its normal quarterly Critical Patch Update cadence, which is how Oracle signals “fix this now.”
That roughly two-week gap is the whole story. By the time the patch existed, attackers had already spent a fortnight harvesting data from unpatched systems, so remediation could not be “apply the update and move on.” Every organization with an exposed PeopleSoft instance had to assume compromise and hunt for it. This is exactly the scenario where a focused security audit and compromise assessment earns its keep: confirming whether data actually left, not just whether the hole is now closed.
The victim list makes the stakes concrete. Nissan confirmed that attackers may have stolen employee data; other confirmed names include the National Association of Insurance Commissioners and several universities, among them the University of Nottingham. By early July, additional disclosures were arriving in clusters as more organizations completed their investigations — a pattern that typically continues for weeks after a mass campaign like this.
Why is a data-theft zero-day worse than a typical patch?
A normal patch cycle assumes you can install the fix before anyone weaponizes the bug. A zero-day inverts that: the fix arrives after exploitation is already under way, so the update stops future entry but does nothing about what already left. When the target is a system like PeopleSoft HCM, what leaves is the crown jewels. HCM holds the complete workforce master file — names, addresses, Social Security and other government identification numbers, bank accounts used for direct deposit, tax-withholding data, and dependent and beneficiary records. In Nissan's case, that reportedly spans current and former employees across the US, Canada, Mexico and Brazil. One successful exploit yields an entire company's personnel history, not a slice of it.
There is a second reason this class of incident stings: the systems involved are usually old, business-critical and quietly under-invested. Teams hesitate to touch a working ERP, so it drifts — exposed to the internet for a long-forgotten integration, patched on a lazy schedule, and monitored less closely than the shiny new microservices next to it. That neglect is precisely what makes legacy enterprise software a preferred target. Bringing those systems into a real software-modernization plan — or at least behind current access controls and monitoring — is the structural fix that patching alone never delivers.
Who is behind it and what do they want?
The campaign is attributed to ShinyHunters, an extortion ecosystem that steals data and then pressures victims to pay to prevent its release — a data-theft-and-extortion model rather than file-encrypting ransomware. ShinyHunters told BleepingComputer it breached more than 300 PeopleSoft instances across 100 organizations, and Mandiant said it notified over 100 affected organizations, independently corroborating the scale. Only a handful have confirmed publicly so far, which means the true count of disclosed victims is very likely to keep growing.
For teams in regulated sectors, the extortion angle raises the regulatory stakes. A confirmed theft of employee or customer personal data triggers breach-notification clocks — 72 hours under the EU's GDPR, plus a widening patchwork of US state deadlines — and, for financial entities, feeds directly into the EU's DORA obligations on ICT-incident reporting and third-party risk. If you operate in FinTech or handle EU personal data, a vendor's zero-day can quickly become your compliance event, which is why the response has to be legal-and-technical from hour one, not a patch ticket alone.
What it means for US & EU software teams
Strip away the vendor name and three durable lessons remain. The first is about attack surface. The single biggest risk multiplier here was that a sensitive back-office system was reachable from the open internet. Enterprise apps like ERP and HCM rarely need to be public; putting them behind a VPN, identity-aware proxy or allow-list turns an internet-wide zero-day into a contained internal one. Inventory what is exposed before an attacker does the inventory for you.
The second is data minimization. The damage scaled with how much sensitive data one system held. Teams that segment personal data, tokenize identifiers, and avoid concentrating every employee record in one internet-adjacent platform give a single breach far less to take. This is ordinary good enterprise engineering discipline; a mass campaign just makes the cost of ignoring it visible.
The third is vendor risk as a first-class concern. Your security posture is only as strong as the third parties you cannot patch yourself. Major SaaS and ERP vendors are critical dependencies: know their patch and disclosure track record, subscribe to their security advisories, and have a written plan for the day one of them ships an out-of-band fix. Concentration on a few large platforms is efficient, but it makes each vendor's worst day your worst day too — plan for it deliberately, and where sensitive data is involved, wire in breach-notification and data-protection steps before you need them.
What to do this week
Here is the shippable version. Treat CVE-2026-35273 as a prompt to close this specific hole and to fix the pattern that made it dangerous.
- Patch, then hunt. Apply Oracle's fixed PeopleSoft build immediately — then hunt for compromise across the 27 May–9 June window. Patching stops new entry; it does not tell you whether data already left.
- Get enterprise apps off the open internet. Put PeopleSoft and peers (ERP, HCM, finance) behind a VPN, identity-aware proxy or IP allow-list. Public exposure of back-office systems should be the rare, justified exception.
- Inventory your internet-facing surface. Enumerate every externally reachable application and admin panel. You cannot defend an asset you have forgotten you exposed.
- Assume breach for exposed instances. If an instance was reachable pre-patch, notify legal early and start breach-notification timers (GDPR 72h; relevant US state and DORA rules) rather than waiting for certainty.
- Minimize the blast radius. Segment and tokenize sensitive personal data so no single system holds the entire workforce or customer file in exploitable form.
- Formalize vendor risk. Track your critical vendors' advisories, keep an out-of-band-patch runbook, and rehearse the response before the next emergency alert lands.
None of this is legal advice, and your exact obligations depend on your sector and jurisdiction. But the strategic signal is hard to miss: the systems most dangerous to lose are often the oldest and least watched. The advantage goes to teams that keep those systems off the open internet, hold less sensitive data in each one, and treat every critical vendor's emergency patch as a drill they have already run.
Frequently asked questions
What is CVE-2026-35273 in Oracle PeopleSoft?
It is a critical, unauthenticated remote-code-execution vulnerability in Oracle PeopleSoft that let a remote attacker run arbitrary code on an internet-reachable server without valid credentials. Attackers used it to steal data rather than encrypt systems. Oracle rated it critical and shipped an emergency out-of-band patch on 10 June 2026 after it was already being exploited.
How long was the flaw exploited before Oracle patched it?
Google's Mandiant says it was exploited as a zero-day between 27 May and 9 June 2026 — about two weeks — before Oracle released an emergency out-of-band patch on 10 June. In that window, any internet-facing, unpatched PeopleSoft instance was effectively open, so patching alone did not resolve the incident; exposed systems had to be treated as potentially breached.
How many organizations were affected?
ShinyHunters told BleepingComputer that more than 300 PeopleSoft instances across 100 organizations were breached, and Mandiant said it notified more than 100 affected organizations, corroborating that scope. Only a handful have publicly confirmed so far, including Nissan, the NAIC and several universities; most victims have not yet disclosed.
What data did the Nissan breach expose?
Nissan said attackers may have accessed employee contact information, banking information, Social Security numbers, Social Insurance Numbers, national identification numbers, financial and tax information, and dependent and beneficiary details for current and former employees in the US, Canada, Mexico and Brazil. PeopleSoft HCM holds the full workforce master file, so one exploit can expose an entire personnel record set.
What should software teams do about it?
Patch to Oracle's fixed build immediately, then hunt for compromise across the exploitation window instead of assuming the patch closed the case. Inventory internet-facing enterprise apps and move them behind access controls, minimize the sensitive data each system holds, and treat major vendors as critical third parties with a documented incident-response and breach-notification plan — especially under GDPR or DORA.
Sources
SecurityWeek — Nissan Employee Data Breached in Oracle PeopleSoft Hack
BleepingComputer — Nissan discloses employee data breach linked to Oracle zero-day attacks
SecurityWeek — Google Confirms Exploitation of Oracle PeopleSoft Zero-Day by ShinyHunters
Help Net Security — Oracle PeopleSoft servers under attack, Oracle pushes out-of-band security alert (CVE-2026-35273)